Abstract

The insider threat continues to be one of the prime issues facing government entities and organizations across critical infrastructure sectors. Extensive catalogues of case material from actual insider events have been used by CERT®, part of Carnegie Mellon University’s Software Engineering Institute, to create socio-technical models of insider crime to help educate organizations on the risk of insider crime. Building upon this work, this paper seeks to demonstrate how a useful method for extracting technical information from previous insider crimes and mapping it to previous modeling work can create informed candidate technical controls and indicators. This paper also shows current examples of case material and candidate indicators that have been successfully converted into well-received insider threat training modules.
1 Introduction

Since the original joint study on insider threat conducted by the U.S. Secret Service and the CERT® Program at Carnegie Mellon University’s Software Engineering Institute in 2001, CERT has catalogued over 400 cases of actual insider crimes [CERT 2008]. The CERT Program’s nearly 10 years of studying insider threats has produced several interesting reports ranging from targeted examinations of individual critical infrastructure sectors to system dynamics models of the behavioral and technical aspects of insider crimes [MERIT 2008]. Other published works have examined either the technical or the behavioral aspects of insider threat research. However, work at the intersection of both the technical and the behavioral aspects of insider crime is sparse. The CERT Program’s vision for the ideal insider threat detection tool is one based on a predictive model that includes both technical and non-technical indicator identification implemented as a series of detection algorithms. Each algorithm will consist of chronological, weighted technical and non-technical indicators.

This paper describes how CERT is building upon our previous work in the modeling arena and leveraging our understanding of insider behavior to begin to work toward that vision. We are currently undertaking a combination of metrics research to identify behavioral and technical indicators and their relative weights, and applied research to create technical controls that map to case information as potentially effective countermeasures to insider threat. We are using a novel approach based on data from the existing CERT Insider Threat Database. This approach comprises a method for extracting technical details and mapping them to existing tools. In this paper, we describe an example of how early work in this area has turned into well-received instructional materials that help educate interested parties on new countermeasures against the threats posed by insiders.

CERT is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
2 Definitions

CERT defines insider threat as the following:

A malicious insider is a current or former employee, contractor, or other business partner who has or had authorized access to an organization’s network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems.

The definition is clear and creates a scope that is easy to manage from an analytic perspective. Throughout the remainder of this paper, this definition accommodates all references to insiders. The most recent modification to this definition, the addition of language referencing business partners, is addressed in a related work that shows the danger of insider threats from non-employees who have a unique business relationship with an organization [Weiland 2010].
3 Discussion and Related Work

Any discussion of insider crime, particularly of the technical details associated with these crimes, should be tempered by considerations of the types of data available to researchers. In general, studying insider crime begins with the collection of open-source case information. At CERT, a significant portion of our case source material for non-national-security espionage cases is gathered from freely accessible internet news sites, blogs, and other such postings. Where possible and practical, we also collect court documents, including affidavits, transcripts, sentencing information, and other relevant items that contain information about the crime. From both media sources and court documents, we learn a great deal about the insider and what the insider stole or damaged at the victim organization. We also gain a general understanding of the sequence of events associated with the case. However, in many cases, the technical details of how the crime was committed are not available.

This lack of empirical data about what technical vulnerabilities were exploited makes it difficult to develop technical controls against malicious activity. This paper seeks to provide some guidance on extracting relevant technical information from previously catalogued cases of insider threat to develop technical controls at the intersection of the tool space and previous work on behavioral models. However, we believe that, even with only vague technical data, a skilled analyst can determine with a reasonable degree of confidence what technical countermeasures would be effective against insider crimes, even if all an analyst knows is what was included in a media report. Frequently, we find that knowing the exfiltration method and the source and destination of the stolen asset is sufficient to do a great deal of useful analysis. This is what we intend to demonstrate in the following few pages.

Consider also that a large number of cases detected by victim organizations are not reported to law enforcement. Last year, a survey conducted by CSO magazine in cooperation with the U.S. Secret Service, CERT, and Deloitte revealed that 72 percent of respondent organizations that experienced at least one malicious insider incident in the previous year handled the incident internally without involving law enforcement [CSO 2010]. More interesting, however, are the reasons for not reporting the incident, which range from lack of evidence (35 percent) to an inability to attribute the event to any individual malicious actor (29 percent) to the fear of negative publicity (15 percent). These are concerning figures, and while somewhat problematic for the purposes of research, they also motivate work in this area to help improve the ability of organizations to prevent, detect, and respond to malicious insiders.

Another important consideration here is that while the method, technical controls, and indicators discussed in this paper are all rooted in extensive case files and previous modeling work, they have not been operationally tested. We are interested in testing some of our proposed indicators for effectiveness on operational networks; however, at this time, the candidate indicators and controls remain untested, but well-informed, measures for insider threat defense.

It should also be noted that this work relies heavily on previous work developing socio-technical models of insider crime using system dynamics methods. CERT has produced several of these models of insider crime based on a focused analysis of cases from each of the types of crimes studied at CERT, combined with extensive research and feedback from behavioral psychologists, security researchers, and management experts. These works have been well received and serve as an interesting mechanism for breaking insider crimes down into manageable feedback loops and common trends. The statistics and conclusions derived from these works form the foundation for our initial work in control development; however, this is not intended to be the exclusive input for control development. A sample output from the recent work on intellectual property (IP) theft modeling is shown below in Figure 1 [Moore 2009].

CMU/SEI-2011-TN-003 | 3

[Figure 1 diagram not reproduced; legible node labels include “insider sense of …” and “insider desire to contribute to organization”]

Figure 1: The “Entitled Independent Model” of Insider Theft of IP


It is also worth noting that there are other pieces of significant insider threat research that can be used as platforms for deriving candidate controls and indicators. Models and studies that are of interest include behavioral models from Shaw, Ruby, and Post [Shaw 1998] and extensive work done by Herbig and Wiskoff at the Department of Defense’s (DoD) Defense Personnel Security Research Center [Herbig 2002], particularly for the study of national security espionage. There are still other works in related areas, such as misuse detection algorithms, that can also serve as an informative source when creating candidate controls [Cathey 2003]. Also, there are many robust commercial suites, particularly in the data loss prevention (DLP) space, that can perform a wide range of data collection and make for an excellent set upon which to apply candidate controls and indicators to test for effectiveness. We feel this work complements other, more focused work in the tool space by directing research toward high-impact insiders’ exploits observed in our database.
4 Case Categories

At the time of this writing, the CERT Insider Threat Database, henceforth referred to as “the database,” includes over 400 cases of insider crime that have been tried in the court system and that produced a conviction or guilty plea. The three core types of cases include IT sabotage, insider fraud, and insider theft of IP. A fourth, but smaller, category exists for miscellaneous insider crimes that do not fit in one of the three core categories. CERT also studies national security espionage involving classified information stolen by malicious insiders; however, that content is out of scope for the work described in this paper.

This paper focuses on cases of IP theft. CERT defines this type of crime as an insider’s use of information technology (IT) to steal IP from an organization. We also include critical and sensitive organizational information in our use of IP. This category includes industrial espionage involving insiders [Cappelli 2009]. A forthcoming paper describes deeper analysis of this case set; however, this work describes the underlying methodology and some preliminary findings.
5 Method

For a first pass at indicator development, we considered extracting relevant technical details about how the insider event was perpetrated, what assets were targeted, the mode of exfiltration, and any items of interest that could help to provide context for our analysis. This created a useful framework for quick comparison across cases. An example is included in the table below.


Table 1: An Example Insider Threat Case Decomposed

(Columns: Attribute; Sample Case)

Incident identifier: Sample ID

Incident summary: Insider engaged in discussions with the chair of a foreign competing firm regarding employment opportunities for the insider at the competing firm. Insider agreed to steal information from the victim firm and bring it to the competing firm in exchange for a job.

Asset attacked/target: Business plans, trade secrets, engineering and design specs

Source: Electronic documents, email attachments

Method of exfiltration: Remote network access, electronic theft of documents

Exfiltration comments: Insider compressed files and sent via corporate mail to competing firm.

Candidate Controls

Prevention: Clarify ownership of IP, disallow remote access, disallow sending of sensitive materials and messages for competing domains, restrict access to sensitive information, improve filtering, employ digital rights management.

Detection: Monitor behavior between resignation and termination, monitor remote access, monitor access after normal working hours, monitor user network activity and downloads, monitor traffic to/from competitor domains.

Incident response: Disallow remote access, audit access controls, audit user activity, audit remote access logs, audit email logs, audit traffic to/from competitor domains.
For each attribute, we allow several standard responses. We developed the standard responses based on prior experience with the data set, though responses could be modified in the future to accommodate changes in tactics by insiders or by types of assets targeted in other insider crimes, particularly IT sabotage, since the goals of the malicious insider clearly differ in sabotage as opposed to theft of IP.

The only free-text field in the database is the Incident Summary for each incident. This allows an analyst working with this data set to quickly obtain context for the remaining material without having to work through the raw data used to code an insider threat case in our database. This is not intended to provide an analyst with the background required to become an expert on the case. Rather, it is intended to serve as a quick refresher on critical details when sifting through multiple cases from a sampled data set. Since source material could easily number in the tens, if not hundreds, of pages, a good summary is critical.

Next, when addressing the type of asset attacked, we allow different types of assets at roughly the same level of abstraction, such as trade secrets, customer information, source code, business plans, internal business information, and proprietary software. The attribute allows selection of one or more asset types, with the understanding that there may be overlap between two or more asset types given the information stolen or the critical infrastructure sector in which the case originated. As will be shown in a forthcoming work by Hanley and associates, we find that trade secrets are the most frequently attacked asset type.* This finding is based on a pool of 50 IP theft cases documented in the database. In this pool, trade secret theft represented over half of the cases. In roughly one-fourth of those cases, more than one type of asset was targeted by the insider.

We also categorize the source material associated with data stolen in various states, such as electronic documents, databases, printed documents, and so on. Since some data-loss-prevention tool suites have capabilities associated with detection and prevention of sensitive print jobs, access to certain document types, or the disallowance of certain database queries, we felt this was a useful distinction to include in the database for future study. Also, it is helpful to understand the stolen asset’s format, particularly when discussing whether or not the data was physically exfiltrated from an organization (digital media or printed documents) or exfiltrated over the network (email with a sensitive attachment) in the following fields.

Lastly, we look at the methods used to exfiltrate the data. We do recognize that multiple network protocols and physical assets can be used to exfiltrate information. However, we try to identify the primary technical methods or protocols used to facilitate the crime, such as a large-volume download over VPN, email to a direct competitor, and so on. This is one of the more important technical items we catalogue because physical exfiltration and networked exfiltration appear to have very different implications when considering tools and countermeasures. In the previously mentioned publication, from our 50-case sample, we found 32 cases involved exfiltration of at least one stolen asset via the network, with email and remote file transfers over VPN being the most frequent protocols used to move the stolen data. More concerning, roughly one-third of these cases involved remote network access after normal business hours. Where insiders used physical exfiltration for stealing the information, their two most frequently used tools were a work-issued laptop and removable media, such as a USB drive or writable CD.

* Hanley, M. P., et al. “An Analysis of Technical Observations in Insider Theft of Intellectual Property Cases.” Software Engineering Institute, Carnegie Mellon University, Forthcoming.

We also use previously developed CERT best practices [Cappelli 2009] to describe new control strategies in three areas: prevention of the crime, detection of the crime, and mitigation or response measures to the crime. There are tool strategies that cover all three areas; however, we delineate them specifically with the intention of providing a multifaceted technical approach to this problem. For example, an organization with a well-instrumented network that is looking to bolster its incident response capabilities can derive benefit from our suggested insider-threat-specific strategies for mitigation and response. This allows for a piecemeal approach to insider threat defense by picking and choosing the suggested controls that represent low-hanging fruit to an organization’s IT department. Once these strategies have been enumerated in abstract terms, we focus on translating these controls to a set of real-world tools and policy measures packaged for quick deployment in an organization as an operational capability.

Lastly, we are looking to identify cases of insider incidents that could have been prevented through the use of specific best-in-class commercial or open-source tool suites designed to prevent data loss or specifically marketed as insider threat defensive tools. Note that our suggested mitigation strategies often consist of technical measures combined with policies and processes based on patterns in the crimes identified in our previous modeling work. In a forthcoming work, we will examine this more closely by reviewing several best-in-class tools and their capabilities and how those tools could have been successful at preventing, detecting, and responding to the actions committed by insiders in various cases. For the purposes of this work, we show how providing standardized generic controls provides the basis for mapping these ideas back to specific operational tools.
6 Case Examples

Recently, the Insider Threat Center at CERT selected a set of insider theft of IP cases for deeper study. An example of how this framework is applied to an actual, but anonymized, case demonstrates the usefulness of this method for identifying new countermeasures. The example employs tools already being used by many organizations and captures them as instructional assets to convey to analysts, managers, and other persons with an interest in insider threat defense.

The case example used included several interesting factors and aligned closely with the recent IP theft system dynamics models produced for this type of crime. We know that insiders who steal IP are typically scientists, engineers, or programmers. They steal assets they created and to which they have authorized access. The insiders usually steal the information within 30 days of announcing their resignation [Moore 2009]. Common exfiltration methods include sending email to competitors or foreign organizations, using personal email accounts from work, and downloading files to removable media or to laptops. In the case selected, the insider, employed by a firm manufacturing primarily electronic devices and microprocessors, used inside knowledge and privileged access to steal proprietary product information and send it to a competing firm in a foreign country. After communicating back and forth with a high-level official at the foreign competitor, the insider submitted his resignation to his employer with no mention of the foreign competitor. Following his notice of resignation and prior to his last day of work, the insider proceeded to email several compressed sets of confidential files off the network directly to a contact at the competing firm. The case detail also suggests the insider had emailed sensitive information from the corporate network before, specifically, to a personal email address.

Using the aforementioned framework method, we begin by breaking out key components of the case into technical areas of interest. First, we consider the above introduction to the case to be a summary of sufficient length and detail to provide the analyst a clear picture of what happened. Second, we identify the target asset: stolen trade secrets. Next, we consider the source of the asset, which appears to have been a repository of sensitive documents, likely a file server. Lastly, the medium used to exfiltrate the data was the corporate network, specifically the standard corporate email environment, from which the insider sent an email directed to an individual at a foreign competitor firm.

Next, when considering control strategies, we examine what may have prevented the crime, led to its detection via monitoring, or allowed for more efficient and effective incident response after the crime occurred. Of the three outcomes we consider, prevention is preferable. However, this is not always possible, especially in organizations that move millions of email messages across their network every day.

Moving to the next control type, detection, we find the biggest opportunity for improvement. An important link between the behavior of the insider and the technical countermeasures exists when we consider whether or not the insider had been subjected to additional monitoring as a result of his pending resignation. In this case, we know that the insider submitted his resignation in advance of ending his employment with the victim firm and that the data was stolen during this period. Also, we know, through our work in system dynamics modeling, that 65 percent of insiders steal information within a month of resignation [Moore 2009]. This compelling statistic on insider behavior creates an interesting opportunity from which we derive the following sample of a candidate technical control in our instructional demonstration. Also, while the 65-percent measure is by no means sufficient to be considered an assured way of detecting insider data exfiltration, it remains a substantial finding that allows for the creation of informed rules from empirical findings. In concert with other strategies, for example, targeting this rule toward insiders who have exhibited other behaviors that make them more likely to commit a crime against the organization should be far more effective than the 65 percent statistic suggests.

To create the example control for a demonstration video, we considered the primary exfiltration method (email) and ignored other media the insider may have used to conduct the crime. In a workshop setting, where these demonstration videos are most frequently used, the intent is to drive home the “big picture” view of insider crime rather than focusing overly on any one behavioral or technical detail. We also considered which tools would potentially provide visibility into the insider’s movement of the data off the network via email. While there are several security appliances and points between the client and the gateway where the message traffic could be inspected, we were interested in an approach that focused on our suggested best practices related to auditing and monitoring [Cathey 2003]. Specifically, we are interested in how we can utilize centralized logging, or a centralized log querying mechanism, to tie in the known technical indicators of insider crime with known behavioral aspects. The technical indicator in this case is the email to a direct competitor’s domain containing an attachment. The key behavioral aspect of this type of crime is the finding that 65 percent of insiders steal within the one-month window surrounding resignation.

To demonstrate this, we created a small virtual environment, designed as a microcosm of an enterprise network. The environment used for this demonstration consisted of tools and appliances ranging from netflow collectors to a Microsoft Exchange infrastructure for handling corporate email. With these services configured, we added a Splunk appliance, chosen primarily for ease of configuration and our prior experience with the tool on other operational networks [Splunk 2010]. Splunk served as a central query system for accessing both the Exchange logs and the domain controller event logs. The complete lab network topology is shown in Figure 2.
Figure 2: Sample Lab Topology for Creating Demonstrations and Testing Candidate Technical Controls and Indicators

The demonstration shows two methods of using Splunk, or an equivalent tool set, to implement a query based on tracking email by volume and destination from employees who have accounts set to expire on a certain date, as well as queries that retrieve the prior 30 days’ worth of email traffic for an insider whose account is disabled, as shown in Figure 3. The demonstration goes on to show how, through creating simple queries in the tool based on information derived from prior modeling work, we can dramatically narrow the scope of our investigation to a handful of email messages sent in a short period to a set of undesirable message recipients. This immediately narrows the security operators’ search space from potentially millions of email messages to a much more manageable set associated with an individual who is likely to steal information within a very specific timeframe with a high degree of confidence. The demo also allows an instructor to pause at various points during the demonstration to engage in discussion with the audience about various ways of implementing the suggested queries and how they can be modified to operate in alternate tool environments or use different organizational security policies. The important lesson is that the suggested controls are easily tailored for varying environments, rooted firmly in real case data, and tied closely to peer-reviewed articles on behavioral models associated with each type of crime.
Figure 3: Screenshot from Demo Video Showing an Alert from a Splunk Rule Derived from Models of Insider Theft of IP
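The two queries the demonstration describes, written out as an added Python example (not the paper’s own demo material or Splunk rules): it correlates constructed Exchange-style message-tracking records with a constructed account-expiry list, flags attachment-bearing messages to a watched competitor domain sent inside the 30-day window before the sender’s account expires, and totals the prior 30 days of outbound mail by destination domain for one account. The record layout, domain names, account names, sizes and dates are all constructed for this example.

```python
"""Correlating a technical indicator (email with an attachment to a competitor
domain) with a behavioural window (the 30 days before a pending departure).
All records, accounts and domains below are constructed for this example."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Competitor domains the organisation has decided to watch (constructed).
COMPETITOR_DOMAINS = {"competitor-example.com"}

# Constructed, simplified message-tracking records, one per line:
# timestamp, sender, recipient, size in bytes, attachment count.
MESSAGE_LOG = """\
2011-01-03T09:12:44,jdoe@victim.example,colleague@victim.example,8210,0
2011-01-10T18:40:02,jdoe@victim.example,vp@competitor-example.com,4200310,3
2011-01-11T22:05:19,jdoe@victim.example,jdoe.personal@webmail.example,2911000,2
2011-01-12T08:15:00,asmith@victim.example,sales@competitor-example.com,3100,0
2011-01-13T19:30:45,jdoe@victim.example,vp@competitor-example.com,6020400,4
2010-11-20T10:00:00,jdoe@victim.example,vp@competitor-example.com,5000000,2
"""

# Constructed directory export: account and the date it is set to expire
# (the announced last day of employment).
ACCOUNT_EXPIRY = {
    "jdoe@victim.example": date(2011, 1, 21),
    "asmith@victim.example": date(2011, 6, 30),
}


def parse_log(text):
    """Turn the comma-separated tracking lines into dicts with typed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, size, attachments = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "sender": sender,
            "recipient": recipient,
            "size": int(size),
            "attachments": int(attachments),
        })
    return records


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def in_departure_window(record, expiry, days=30):
    """True when the message was sent within `days` before the account expiry."""
    sent = record["time"].date()
    return expiry - timedelta(days=days) <= sent <= expiry


def competitor_attachment_alerts(records, expiry_by_account, window_days=30):
    """Rule 1: attachment-bearing messages to a competitor domain, sent by an
    account inside its departure window. Returns alerts in chronological order."""
    alerts = []
    for r in records:
        expiry = expiry_by_account.get(r["sender"])
        if expiry is None or not in_departure_window(r, expiry, window_days):
            continue
        if r["attachments"] > 0 and domain_of(r["recipient"]) in COMPETITOR_DOMAINS:
            alerts.append(r)
    return sorted(alerts, key=lambda r: r["time"])


def outbound_volume_by_destination(records, account, as_of, days=30):
    """Rule 2: for one account (e.g. one just disabled), message count and total
    bytes per recipient domain over the `days` before `as_of`."""
    start = as_of - timedelta(days=days)
    totals = defaultdict(lambda: {"messages": 0, "bytes": 0})
    for r in records:
        if r["sender"] != account or not (start <= r["time"].date() <= as_of):
            continue
        dom = domain_of(r["recipient"])
        totals[dom]["messages"] += 1
        totals[dom]["bytes"] += r["size"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_log(MESSAGE_LOG)
    for a in competitor_attachment_alerts(recs, ACCOUNT_EXPIRY):
        print(f"ALERT {a['time']:%Y-%m-%d %H:%M} {a['sender']} -> {a['recipient']} "
              f"attachments={a['attachments']} bytes={a['size']}")
    who = "jdoe@victim.example"
    for dom, t in outbound_volume_by_destination(recs, who, ACCOUNT_EXPIRY[who]).items():
        print(f"{dom:28} {t['messages']:3} msgs {t['bytes']:>10} bytes")
```

Run as written, the first rule reduces six messages to the two attachment-bearing ones sent to the competitor inside the window (the earlier one to the same recipient falls outside it, and the colleague’s message has no attachment), and the second rule shows where the departing account’s outbound volume went, including the personal webmail destination the first rule deliberately ignores.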
7 Linking Vulnerability Metrics

A key component to a successful insider threat strategy includes asking organizations to identify critical assets and, therefore, where controls such as those we are interested in creating should be applied. Complementary work at CERT aims to quantify an organization’s vulnerability to insider threat based on an assessment of the organization’s security posture and known information about how insiders have previously exploited organizational weaknesses. This work benefits from the fact that the over 400 existing cases of insider crime have been analyzed individually to create a set of over 4,000 observed insider exploits and organizational vulnerabilities that contribute to insider crime. Current work here involves creating a firm taxonomy that can be used to accurately classify the vulnerabilities and exploits into a useful hierarchy.

We suspect there are strong patterns in this data, both in the types of technical indicators that appear in pairs or triplets as part of an insider attack and in behavioral indicators that appear in patterns that non-IT security departments should be able to identify and report to concerned parties. Our intent for our control development and measurement work is for each to provide input to one another from which we can create controls focused on areas of particular weakness and vulnerability. We also intend for this work to help organizations demonstrate, in a quantifiable way, how they are effectively using organizational resources to measurably reduce their vulnerability to insider attack. This work is also fundamental to creating intelligent analysis tools for automated detection of indicators potentially signaling an imminent or in-progress attack by an insider.
8 Limitations

While the preceding discussion and proposed method for creating candidate technical controls are based on actual case data and on well-received socio-technical models of varying types of insider crime, it is worth restating that the controls and indicators that are in development are considered to be candidates in that they are, as yet, untested. Several important issues should be considered when piloting a candidate control or indicator. First, the number of false positives generated by an alert created using a proposed control or indicator may be high, creating additional work for operators. While a valid concern, this can be mitigated by the suggestion that any insider threat defensive strategy should be multi-faceted, relying on no single alert from a monitoring tool or a single report from a human being in the organization. In concert with other indicators, reports, and concerns, a candidate indicator can be more useful and is likely to report to an operator more accurately than it would on its own.
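The two ideas above, indicators that tend to appear together in pairs or triplets across the case library (Section 7) and alerting only when several candidate indicators corroborate one another rather than on any single alert (the false-positive discussion here), can both be illustrated with a small script. The following is an added example written for this page; it is not code from the paper, from CERT, or from the Splunk demo. The event lines, the toy case library, and the indicator names (after_hours_login, bulk_download, removable_media_write, resignation_notice) are constructed for illustration and are not CERT's taxonomy; the four-hour window and the three-indicator threshold are assumed tuning values.

```python
"""Corroborating candidate insider-threat indicators and mining indicator co-occurrence.

Added example, not from the CERT paper. All sample data below is constructed;
indicator names and thresholds are assumptions chosen for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample indicator events: ISO timestamp, user, indicator name.
# Each line stands for one alert a monitoring tool or a human report might raise.
SAMPLE_EVENTS = """\
2009-03-02T17:45:10 user=jdoe indicator=after_hours_login
2009-03-02T18:02:33 user=jdoe indicator=bulk_download
2009-03-02T18:10:05 user=jdoe indicator=removable_media_write
2009-03-03T09:12:00 user=asmith indicator=bulk_download
2009-03-05T22:00:00 user=jdoe indicator=after_hours_login
2009-03-06T08:30:00 user=asmith indicator=resignation_notice
"""


def parse_events(text):
    """Parse 'TIMESTAMP user=U indicator=I' lines into (datetime, user, indicator) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["user"], kv["indicator"]))
    return events


def corroborated_alerts(events, window=timedelta(hours=4), min_indicators=3):
    """Emit an alert only when at least min_indicators *distinct* indicators
    for the same user fall inside one time window.

    A lone indicator never alerts on its own, which is the multi-faceted
    strategy the paper recommends for keeping false positives manageable.
    """
    by_user = defaultdict(list)
    for ts, user, ind in events:
        by_user[user].append((ts, ind))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        i = 0
        while i < len(evs):
            start = evs[i][0]
            seen = set()
            j = i
            while j < len(evs) and evs[j][0] - start <= window:
                seen.add(evs[j][1])
                j += 1
            if len(seen) >= min_indicators:
                alerts.append({"user": user, "start": start, "indicators": sorted(seen)})
                i = j  # consume the corroborating events so they alert only once
            else:
                i += 1
    return alerts


# Constructed toy case library: case id -> set of indicators observed in that case.
# In the paper's setting this would be the 4,000-plus exploits and vulnerabilities
# extracted from the 400-plus real cases; here it is four made-up cases.
SAMPLE_CASES = {
    "case-01": {"after_hours_login", "bulk_download", "removable_media_write"},
    "case-02": {"bulk_download", "removable_media_write", "resignation_notice"},
    "case-03": {"after_hours_login", "bulk_download"},
    "case-04": {"bulk_download", "removable_media_write"},
}


def indicator_cooccurrence(cases, size=2):
    """Count how often each combination of `size` indicators (pairs, triplets, ...)
    appears together in a case. Frequent combinations are candidates for the
    corroboration rule above."""
    counts = Counter()
    for inds in cases.values():
        for combo in combinations(sorted(inds), size):
            counts[combo] += 1
    return counts


if __name__ == "__main__":
    for alert in corroborated_alerts(parse_events(SAMPLE_EVENTS)):
        print(alert)
    print(indicator_cooccurrence(SAMPLE_CASES).most_common(3))
```

Run as written, only jdoe's cluster of three indicators on 2 March produces an alert; the isolated after-hours login on 5 March and asmith's two widely separated events do not. The pair count shows bulk_download together with removable_media_write as the most frequent combination in the toy library, which is the kind of pattern the taxonomy work in Section 7 is meant to surface at scale.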

An additional point of concern involves a discussion of the source material itself. While the CERT Program's insider threat case library includes over 400 cases of actual insider crimes, it is important to consider that this library by no means represents all insider threat cases. As already noted, insider crimes go unreported and undetected for a variety of reasons, not the least of which is lack of sufficient evidence to attribute the crime to an individual and prosecute. Further, an argument can be made that these 400 cases were identified and prosecuted because the insiders involved were somehow not as effective as those insiders who are not prosecuted due to lack of evidence or those who go undetected entirely. While these are problems associated with case collection, the 400 cases nonetheless represent a significant set of insider crimes and provide the best mechanism available to us for studying insider crime.

Candidate indicators and controls may also fail to act as a preventative measure entirely and serve only as a passive alerting mechanism to an attack in progress. While prevention is likely the preferred avenue for an organization considering these candidate controls and indicators, it should be noted that this work is not attempting to design forecasting routines for predicting insider attacks. While some rules may be preventative in that they alert an operator and allow them time to engage and stop an insider attack in progress, a passive alert may, if nothing else, enable incident response activities. In particular, the added monitoring and alerting from an informed set of candidate controls could lead to improved ability to attribute a crime to an individual and prosecute, if so desired. While future work in prevention and prediction is interesting, this work is not intended to accomplish the latter directly, and the former is likely a product of a mature insider threat strategy across the enterprise and not just from any single indicator or control.

Lastly, any discussion of a monitoring strategy should be accompanied by an equally important discussion with the organization's human resources, legal, and senior leadership. Since monitoring strategies and technical controls designed to detect malicious human behavior may tread into areas relating to employee privacy, strategies may be tempered by the laws, regulatory requirements, and other governing practices and policies at an organization. Further, the choice of controls and indicators will obviously vary depending on who has operational responsibilities for responding to the controls and indicators. For example, a counterintelligence organization may choose controls and respond to alerts differently than a typical security operations center.

Over the course of the next year, CERT plans to develop a suite of candidate indicators and controls for testing in both lab and operational environments to determine effectiveness of the controls themselves and the method by which they are created. Further testing could also lead to improved educational materials that convey the importance of a blended strategy of technical tools, organizational behavior, and policy.
9 Conclusion

While the behavioral modeling of insider crime has matured steadily in the last several years, there has been a growing need to link these findings to the creation of informed and useful technical controls for combating insider crimes. In this paper, we have discussed a simple method for extracting candidate information for technical controls from real cases of insider crime. We have also shown how this method has led to the creation of useful instructional materials in the form of demonstration videos. Finally, we discussed future work linking vulnerability metrics to technical controls to provide even more granular information to an organization deciding where to allocate resources to stop malicious insiders. These items are critical to the discussion surrounding the development of improved insider threat tools, specifically concerning development of informed indicators, triggers, and alerts in a way that does not overwhelm the organization with false positives, but rather works through alerts rooted in real case information and which are genuinely cause for concern.

We also believe successful application of the principles discussed in this paper (those concerning theft of IP and sabotage cases) could lead to interesting work in the insider threat space specific to combating national security espionage. CERT has catalogued over 120 cases of espionage to study the methods used by spies against the United States government. Further work in this area could greatly benefit counterintelligence analysts and information security personnel who are defending national security information.